{
	"id": "d925430a-5fd2-4356-8c9c-314b6fb4315b",
	"created_at": "2026-04-06T00:07:48.723328Z",
	"updated_at": "2026-04-10T03:21:25.36101Z",
	"deleted_at": null,
	"sha1_hash": "dac6db8359b650fa5960a41568dcce9221418c55",
	"title": "How to recover files encrypted by Yanluowang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 893800,
	"plain_text": "How to recover files encrypted by Yanluowang\r\nBy Marc Rivero\r\nPublished: 2022-04-18 · Archived: 2026-04-05 20:09:14 UTC\r\nYanluowang is a type of targeted ransomware discovered by the Symantec Threat Hunter team as they were\r\ninvestigating an incident on a large corporate network. Kaspersky experts have found a vulnerability in the\r\nYanluowang encryption algorithm and created a free decryptor to help victims of this ransomware with recovering\r\ntheir files.\r\nYanluowang description\r\nThe ransomware is relatively recent, its name a reference to the Chinese deity Yanluo Wang, one of the Ten Kings\r\nof Hell. Unfortunately, we do not know much about the victims. According to Kaspersky Security Network data,\r\nattacks have been carried out in the United States, Brazil, Turkey and a few other countries. The low number of\r\ninfections is due to the targeted nature of the ransomware: threat actors prepare and implement attacks on specific\r\ncompanies only.\r\nhttps://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/\r\nPage 1 of 6\n\nGeography of the Yanluowang attacks, December 4th, 2021 – April 8th, 2022 (download)\r\nIn the ransom note, the cybercriminals demand not to contact law enforcement and not ‘keep them for fools’:\r\nThe ransomware program has the functionality to terminate virtual machines, processes and services. This is\r\nnecessary to make files used by other programs available for encryption. The main parts of stopped services and\r\nprocesses include databases, email services, browsers, programs for working with documents, security solutions,\r\nbackups and shadow copy services.\r\nLists of stopped services and processes\r\nAccording to public information about the ransomware, it is only used in targeted attacks rather than in other RaaS\r\nfamilies. Yanluowang itself needs parameters to be executed in the system, meaning it will be executed either\r\nmanually or through a combination of scripts in the compromised system. The available syntax in the ransomware\r\nis:\r\nencrypt.exe [(-p,-path,--path)\u003cpath\u003e]\r\nThe Sosemanuk stream cipher is used to encrypt files, its key then encrypted using the RSA-1024 asymmetric\r\nalgorithm. The RSA public key itself is embedded in the program but additionally encrypted with the RC4 stream\r\ncipher whose key is a string and also embedded in ransomware. Files before and after encryption:\r\nhttps://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/\r\nPage 2 of 6\n\nWhen the encryption process is completed, the file extensions will be changed to .yanluowang\r\nYanluowang divides files into big and small along a 3 GB threshold. Small files are encrypted completely from\r\nbeginning to end, big files are encrypted in stripes: 5 megabytes after every 200 megabytes.\r\nhttps://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/\r\nPage 3 of 6\n\nThe encryption code for big files\r\nAfter a file is encrypted, an RSA-encrypted Sosemanuk key is written to the end of it. The encrypted endfile block\r\nhas a size of 1024 bytes.\r\nAn encrypted block with a Sosemanuk key\r\nFiles decryption\r\nKaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected\r\nusers via a known-plaintext attack. All that was required for this to work was added to the Rannoh decryption tool.\r\nhttps://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/\r\nPage 4 of 6\n\nTo decrypt a file, you should have at least one original file. As mentioned earlier, the Yanluowang ransomware\r\ndivides files into big and small files along a 3 gigabyte threshold. This creates a number of conditions that must be\r\nmet in order to decrypt certain files:\r\nTo decrypt small files (less than or equal to 3 GB), you need a pair of files with a size of 1024 bytes or\r\nmore. This is enough to decrypt all other small files.\r\nTo decrypt big files (more than 3 GB), you need a pair of files (encrypted and original) no less than 3 GB\r\nin size each. This will be enough to decrypt both big and small files.\r\nBy virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the\r\ninfected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be\r\ndecrypted.\r\nIndicators of Compromise\r\nKaspersky solutions detect and protect against this ransomware, detecting it as Trojan-Ransom.Win32.Yanluowang with File Threat Protection and proactively as PDM:Trojan.Win32.Generic with\r\nBehavior Detection.\r\nMD5\r\nafaf2d4ebb6dc47e79a955df5ad1fc8a\r\nba95a2f1f1f39a24687ebe3a7a7f7295\r\nPiece of advice\r\nStill, it is important for a company to have a security solution that would enable instant response to such\r\nransomware threats in order to avoid large financial losses. Yanluowang was deployed in targeted human-operated\r\nattacks. As usual in such cases, we would like to remind you that a comprehensive cybersecurity strategy is\r\nrequired to protect against this type of threats.\r\nHere are Kaspersky’s recommendations for staying safe from ransomware attacks:\r\nDo not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and\r\nalways use strong passwords.\r\nPromptly install available patches for commercial VPN solutions that provide access for remote employees\r\nand act as gateways to your network.\r\nAlways keep software up to date on all your devices to prevent ransomware from exploiting vulnerabilities.\r\nFocus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special\r\nattention to outgoing traffic to detect cybercriminals’ connections.\r\nBack up data regularly. Make sure you can quickly access your backups in an emergency.\r\nTo protect the corporate environment, educate your employees. Dedicated training courses can help, such\r\nas the ones provided on Kaspersky Automated Security Awareness Platform.\r\nUse the latest Threat Intelligence information to stay on top of actual TTPs used by threat actors.\r\nUse solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and\r\nResponse service which help to identify and stop an attack in the early stages, before attackers can achieve\r\nhttps://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/\r\nPage 5 of 6\n\ntheir objectives.\r\nUse a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, that is\r\npowered by exploit prevention, behavior detection and a remediation engine capable of rolling back\r\nmalicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.\r\nSource: https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/\r\nhttps://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/"
	],
	"report_names": [
		"106332"
	],
	"threat_actors": [],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dac6db8359b650fa5960a41568dcce9221418c55.pdf",
		"text": "https://archive.orkl.eu/dac6db8359b650fa5960a41568dcce9221418c55.txt",
		"img": "https://archive.orkl.eu/dac6db8359b650fa5960a41568dcce9221418c55.jpg"
	}
}